SSH Agent Error: "error: Error: AppError { error: could not authenticate with ssh agent ..."

ghosts
ghosts
Community Member
edited September 2022 in SSH

Hi,

I've been using SSH agent in 1Password 8 for both signing my commits and for authentication (push/pull).

The past couple of days I've been having this issue on my intel mac where it would not authenticate with 1password.

This is the error

error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }

I tried it in multiple terminal emulators (iTerm, Alacritty, macOS Terminal).

The problem does not resolve when I restart my mac.

I tried enabling and disabling the SSH Agent but that didn't help. Would appreciate some help with this because it makes this feature unusable (I'm unable to make commits/push/pull).

Comments

  • That is odd, does SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l still work and also show your signing key?

  • Do you have multiple accounts in 1Password that have different account passwords? If so, could you try locking 1Password and unlocking the account that has the key you've specified in your Gitconfig?

  • Aha, that explains it. Properly handling these "partially locked" scenarios in the agent is something we're working on at the moment.

  • ghosts
    ghosts
    Community Member

    My version:
    1Password for Mac 8.9.4, 80904044, on PRODUCTION channel
    Has 1 account only

    My mac info:
    macOS Monterey 12.6 (21G115) (Intel)

    The command does seem to list my keys:

    But commits/push/pull are still failing

    This issue is not present on my work computer (M1 mac laptop, running the same version of 1Password, with 2 accounts)

  • floris_1P
    edited September 2022

    Can you run this command from your repo directory:

    git config user.signingkey
    

    And confirm that that key is present in your ssh-add -L output?

  • ghosts
    ghosts
    Community Member

    @floris_1P yes the output of those two commands contains the same key.

    Weirdly enough it's working correctly again on my personal computer, all without any change or even restart on my part.
    but started having this same error on my M1 work computer. Not sure what to think of this 🤔

    I'll try running those commands again on my work computer tomorrow and report back

  • If you still get the error on your work computer, could you see if there's anything in the 1Password logs when you run a failing command? Logs on macOS are here: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • uws
    uws
    Community Member

    Hi @floris_1P – I am having the same issue as @ghosts. My intention is to simply use SSH for git (initially for one git user, and then later to add another). For now, I can't seem to get just one setup.

    Some knowns:

    • 1P is setup with two Organization accounts, one of which I am a member of, and another I am the owner of.
    • The key/signing in question are stored in a Private folder in the later (account that I own)
    • I am signed into both accounts on Mac M1 Desktop App

    Here are some relevant outputs if helpful:

    $ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l

    256 SHA256:-----KAKmM Github Access (ED25519)
    256 SHA256:-----jNFvQ Github Signing (ED25519)
    

    $ git config user.signingkey

    ssh-ed25519 -----WOWk0
    
    

    $ssh-add -L

    The agent has no identities.

    $ .ssh % cat config

    Host *
        IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    
    

    I'm happy to share known_hosts, known_hosts.old and id.rsa if needed as well.

    And same as @ghosts, I am encountering the same issue:

    error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }
    
    fatal: failed to write commit object
    

    Would love some help as when you google this only one result (this community page) appears.

    Thanks in advance!
    Jacob

  • @uws Does this command return your signing key?

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -L | grep "$(git config user.signingkey)"
    

    If so, does anything appear in the 1Password logs when a commit fails? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • uws
    uws
    Community Member

    @floris_1P – thanks for your reply.

    This returns nothing:

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -L | grep "$(git config user.signingkey)"
    
    

    This returns:
    zsh: no such file or directory: /path/to/dir

    ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • ebridges
    ebridges
    Community Member

    @floris_1P I'm getting the exact same issue that was reported by @uws

    The command: SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -L | grep "$(git config user.signingkey)" is returning the correct key.

    The console shows the following error when trying to commit:

    $ git commit -S -m 'test message'
    error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }
    
    fatal: failed to write commit object
    

    The log file 1Password_rCURRENT.log shows the following when it fails:

    INFO  2022-10-21T12:33:53.140 tokio-runtime-worker(ThreadId(277)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    INFO  2022-10-21T12:33:53.147 tokio-runtime-worker(ThreadId(277)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    ERROR 2022-10-21T12:33:53.149 tokio-runtime-worker(ThreadId(5)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(BiometryUnavailable)
    INFO  2022-10-21T12:33:53.149 tokio-runtime-worker(ThreadId(5)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
    
  • hanpq
    hanpq
    Community Member
    edited October 2022

    I had this to on Windows, exact same error message and "session was not authorized" in the logs. However I figured out the cause in my case. I was using Remote Desktop to connect to the machine. And if I use the computer directly it works just fine.

    It seems to me Windows disables Windows Hello when connecting through a remote session and I guess 1Password fails to invoke authentication with Windows Hello which if I've understood it correctly this feature relies upon.

    (At first glanse it might make sense to disable Windows Hello due to the biometric features however PIN would still work in a remote session in my opinion but that is a topic for Microsoft i guess)

    I do realize that this is probably a limitation in Windows/Windows Hello but might I suggest that the op-ssh-agent.exe could verify if Windows Hello is available and if not throw a suitable error message?

    Just trowing this out there as a possible cause if anyone else experiences this on Windows as well :)

  • ghosts
    ghosts
    Community Member

    @floris_1P The issue returned... :(

    Here are the log messages I'm seeing after it happens:

    INFO  2022-10-22T01:07:36.382 tokio-runtime-worker(ThreadId(9)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:81] failed to find NSApplication related to pid 3138
    INFO  2022-10-22T01:07:36.398 tokio-runtime-worker(ThreadId(1168)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    INFO  2022-10-22T01:07:36.412 tokio-runtime-worker(ThreadId(1168)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    ERROR 2022-10-22T01:07:36.419 tokio-runtime-worker(ThreadId(9)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(BiometryUnavailable)
    INFO  2022-10-22T01:07:36.419 tokio-runtime-worker(ThreadId(9)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
    

    To add more background: I use my macOS laptop with Touch ID closed and rely on Apple Watch for Biometric sign in. I tried opening the laptop and trying again then all of a sudden it started working (even after closing the lid again, as long as I authenticated with TouchID - maybe because at this point it's cached but when the auth expires it will stop working again). I hope this helps debug the issue.

  • Foosh135
    Foosh135
    Community Member

    Hey all, I had the exact same problem as @ghosts, and I was able to fix the problem on my own (without following any of the above suggestions).

    Turns out, the public key stored in my 1Pass SSH key didn't match the output of git config user.signingkey for some weird reason.
    The fix was to simply open my ~/.gitconfig file and manually replace the value of user.signingkey so that it matched the key stored in 1Pass. After I saved the file and closed it, the problem went away (I was able to authenticate my commits again).

    Hopefully this tip will help someone else here!

  • ghosts
    ghosts
    Community Member
    edited October 2022

    @Foosh135 are you sure the error stacktrace including line number you got matches the stacktrace I posted at the top of the post? I know for a fact that the fix you’re describing isn’t related to what I’m experiencing because it works on and off based on biometric sensor availability (as indicated by the logs).

    (Line 95 col 37)

    If it does match it could be that the stacktrace just points to the generic error handler they have in their cli.

  • Foosh135
    Foosh135
    Community Member

    @ghosts yup, my stacktrace matched yours exactly, down to the line 95 col 37 part.

    $ git commit -m "Modified README"
    error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }

    fatal: failed to write commit object

  • myusuf3
    myusuf3
    Community Member

    I am experiencing the same thing today as well with nothing changing in my setup either.

  • myusuf3
    myusuf3
    Community Member

    Removing the ssh signing seems to have fixed it. FYI I only have one account logged into the client.

  • myusuf3
    myusuf3
    Community Member

    I am now getting another error

    sign_and_send_pubkey: signing failed for RSA "" from agent: agent refused operation

  • MayMeow
    MayMeow
    Community Member
    edited November 2022

    @hanpq I had exact same issue wihich i "fixed" with installing OpenSSH from Microsoft's (powershell/Win32-OpenSSH) GitHub repository and it's not working at all (but i get rid of that error message :D)

    It's now telling me (when I try to sign commits) that I have to have my private keys stored in Private/Personal Vault, where they exactly are. (My Vault has name: Personal)

    Other behavior are exactly the same as before:

    • ssh-add -L tells that it don't have any identities
    • trying to authenticate to servers returns message about that my public key is in invalid format.

    Note: I'm currently on beta channel, and I had installed application from production and from nightly channel before as well.

  • jamiefolsom
    jamiefolsom
    Community Member

    Same issue here as well -- I also am running an intel mac laptop with touch id, but lid closed, and a paired apple watch attempting to allow confirmation, as was @ghosts. Updating signing key in ~/.gitconfig had no effect.

  • DudeThatsErin
    DudeThatsErin
    Community Member

    No update from 1P support? Why? This is a pretty big issue

This discussion has been closed.